WordPress: 8 Security Tips To Protect Your Website
Is your WordPress website secure? WordPress is the content management system (CMS) used by 25% of all websites, representing a CMS market share of 58.7%, according to W3 Techs Web Technology Surveys. That popularity makes these websites a constant target for attackers. Beyond data theft, hacked websites are often used as an email relay for spam or set up as a temporary web server for illegal activity. How does this happen? Automated scripts continually scan the Internet for known software security issues, so an unpatched or weakly configured site is found quickly. To keep your site safe and secure we’ve put together a list of 8 simple tips.
- Strong Passwords – It may seem basic, but many companies don’t use complex passwords. We’ve unhacked several sites where the username was ‘admin’ or the password was ‘password’. If you can remember your password, it’s likely not secure enough. It’s critical to use strong passwords for your server and website admin accounts. However, it is also important to insist on good password practices for your users. This site will generate random but strong passwords at the push of a button: http://strongpasswordgenerator.com. To enhance security you can also set up two-factor authentication via a smartphone swipe through programs like https://getclef.com
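As an added example (not code from the original post), the following PHP shows the two halves of this tip: generating a random password from a CSPRNG, and rejecting weak passwords when a user saves a profile in wp-admin. The minimum length of 16, the small common-password list and the hook body are my assumptions; inside WordPress the built-in `wp_generate_password()` does the same job as the generator below.

```php
<?php
// Added example, not from the original post. Stand-alone password helpers
// plus an optional WordPress hook that enforces them on profile updates.

// Generate $length characters drawn from four character classes using
// PHP's CSPRNG (random_int). At least one character of each class is
// guaranteed, then the result is shuffled so those are not always first.
function generate_strong_password(int $length = 24): string {
    $sets = [
        'abcdefghijklmnopqrstuvwxyz',
        'ABCDEFGHIJKLMNOPQRSTUVWXYZ',
        '0123456789',
        '!@#$%^&*()-_=+[]{};:,.<>?',
    ];
    $all   = implode('', $sets);
    $chars = [];
    foreach ($sets as $set) {
        $chars[] = $set[random_int(0, strlen($set) - 1)];
    }
    while (count($chars) < $length) {
        $chars[] = $all[random_int(0, strlen($all) - 1)];
    }
    // Fisher-Yates shuffle driven by random_int (shuffle() is not CSPRNG-backed).
    for ($i = count($chars) - 1; $i > 0; $i--) {
        $j = random_int(0, $i);
        [$chars[$i], $chars[$j]] = [$chars[$j], $chars[$i]];
    }
    return implode('', $chars);
}

// Return a list of policy violations; an empty array means the password passes.
// Thresholds and the common-password list are assumptions for this example.
function password_policy_errors(string $password, string $username = ''): array {
    $errors = [];
    if (strlen($password) < 16) {
        $errors[] = 'must be at least 16 characters';
    }
    if (!preg_match('/[a-z]/', $password) || !preg_match('/[A-Z]/', $password)
        || !preg_match('/[0-9]/', $password) || !preg_match('/[^a-zA-Z0-9]/', $password)) {
        $errors[] = 'must mix upper-case, lower-case, digits and symbols';
    }
    $lower = strtolower($password);
    if (in_array($lower, ['password', 'admin', 'wordpress', 'letmein'], true)) {
        $errors[] = 'is on the common-password list';
    }
    if ($username !== '' && strpos($lower, strtolower($username)) !== false) {
        $errors[] = 'must not contain the username';
    }
    return $errors;
}

// When loaded inside WordPress (e.g. from a plugin), reject weak passwords
// on profile save. The hook receives a WP_Error, an is-update flag and the
// user object; user_pass is only populated when a new password was entered.
if (function_exists('add_action')) {
    add_action('user_profile_update_errors', function ($errors, $update, $user) {
        if (empty($user->user_pass)) {
            return; // password unchanged
        }
        foreach (password_policy_errors($user->user_pass, $user->user_login ?? '') as $msg) {
            $errors->add('weak_password', 'Password ' . $msg . '.');
        }
    }, 10, 3);
}

// Stand-alone usage: php thisfile.php prints a fresh password and confirms it passes.
if (PHP_SAPI === 'cli' && !function_exists('add_action')) {
    $pw = generate_strong_password();
    echo $pw, PHP_EOL;
    echo password_policy_errors($pw) === [] ? "policy: ok\n" : "policy: FAIL\n";
}
```

Because the generator guarantees one character from each class and a length of 24, every password it produces passes `password_policy_errors()`; the hook only fires for user-chosen passwords, which is where the weak ones come from.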
- Updates – Another easy thing to do. Update themes, plug-ins and WordPress core (at the time of writing the latest version is 4.3.1) on an ongoing basis. Updates are issued for a variety of reasons, including feature and security enhancements. If you aren’t regularly updating your website, you could be sending an invitation to hackers via a CMS vulnerability that has already been fixed. If you are managing the site yourself, we recommend enabling auto updates rather than not updating at all.
- Backup Your Website – The number one tool for security is backup. Backup Buddy and VaultPress are great commercial solutions, whereas Updraft or BackWPup are good free alternatives. Always back up your website off the server to services such as Dropbox or an equivalent. If your website becomes compromised, all of your data will be protected. Remote backup also avoids the memory and performance cost of storing backups on the same server.
- Permission/Access Control – Who has access to your website and server? If someone were to break in, would they be able to access your files? Decide who in your company will manage the appointed roles and assign only those individuals to the following WordPress roles:
  - Subscriber – Can comment only
  - Contributor – Can write posts or pages, but they must be approved by an editor or administrator before publishing
  - Author – Can write and publish their own work
  - Editor – Has complete control over publishing, including editing other users’ posts
  - Administrator – Full access to the WordPress Dashboard, including code access
  Give employees and clients the lowest level of access needed. This reduces unnecessary access and potential security problems.
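The following must-use plugin is an added example (not code from the original post or from any of the products named here) that ties the Updates and Permission/Access Control tips together: it turns on automatic updates for core, plugins and themes, disables the dashboard theme/plugin code editor so an Administrator account cannot write PHP from the browser, and shows a notice when an administrator account exists that is not on an expected list. The expected-admin list `['siteowner']` and the function/constant names prefixed `hardening_` are placeholders of mine; the WordPress constants, filters and functions used are real.

```php
<?php
/**
 * Plugin Name: Site Hardening (added example)
 * Place this file in wp-content/mu-plugins/ so it loads on every request
 * without activation. Example code, not from the original post.
 */

// 1. Updates: keep core, plugins and themes current automatically.
// WP_AUTO_UPDATE_CORE is conventionally defined in wp-config.php; defining it
// here also works because it is read only when the updater runs.
// true = all core releases, 'minor' = security/maintenance releases only.
if (!defined('WP_AUTO_UPDATE_CORE')) {
    define('WP_AUTO_UPDATE_CORE', true);
}
add_filter('auto_update_plugin', '__return_true');
add_filter('auto_update_theme', '__return_true');

// 2. Access control: remove the built-in theme/plugin file editor. An
// Administrator (or anyone holding a stolen admin session) can otherwise
// write arbitrary PHP to the server from the dashboard.
if (!defined('DISALLOW_FILE_EDIT')) {
    define('DISALLOW_FILE_EDIT', true);
}

// 3. Least privilege: the accounts that should hold the Administrator role.
// Constructed placeholder list; replace with your real owner account(s).
const HARDENING_EXPECTED_ADMINS = ['siteowner'];

// Return the logins of administrator accounts not on the expected list.
function hardening_unexpected_admins(): array {
    $unexpected = [];
    foreach (get_users(['role' => 'administrator']) as $user) {
        if (!in_array($user->user_login, HARDENING_EXPECTED_ADMINS, true)) {
            $unexpected[] = $user->user_login;
        }
    }
    return $unexpected;
}

// Show a dashboard warning to administrators when extra admin accounts exist,
// so they can be demoted to Editor/Author/Contributor as appropriate.
add_action('admin_notices', function () {
    if (!current_user_can('manage_options')) {
        return;
    }
    $extra = hardening_unexpected_admins();
    if ($extra === []) {
        return;
    }
    echo '<div class="notice notice-warning"><p>Unexpected administrator accounts: '
        . esc_html(implode(', ', $extra))
        . '. Assign each the lowest role it needs.</p></div>';
});
```

Do not combine this with `DISALLOW_FILE_MODS`: that constant blocks plugin and theme installation and updates as well, which would defeat the auto-update filters above.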
- Hosting – You get what you pay for. Your hosting agreement should include backups stored in multiple locations. Also check how long backups are kept and whether they are tested to confirm your data can be properly restored. Secure servers have 24-hour security monitoring, biometric scanning and backup generators. Ensure your provider offers these services.
- Separate cPanels – cPanel lets administrators and website owners control the various aspects of a website through a standard web browser. It’s best to host with a provider that offers ONE cPanel per website. If multiple websites share one cPanel, the weakest site can create problems for all of the hosted sites. Separate cPanels mean a breach can be isolated more quickly while all of the other websites stay protected.
- Cyber Security Knowledge – Knowledge is power. To keep informed about the latest cyber security issues, here is a list of resources that you might find helpful:
  - http://exploit-db.com – Known exploits
  - http://www.publicsafety.gc.ca/cnt/rsrcs/cybr-ctr/index-eng.aspx – Government notifications (Canada)
  - https://www.us-cert.gov – Government notifications (United States)
  - http://sucuri.net – More WordPress focused
  - http://wordfence.com – WordPress hacking map
  - http://map.norsecorp.com – Hacking map
  - http://www.digitalattackmap.com – Distributed Denial of Service map
- Let the Pros Fix It – If you are hacked, do not attempt to update or fix anything yourself. Do not reset the database or change the files; this could result in lost data and destroy the evidence needed to work out how the attacker got in. It’s best to call an ethical hacker or cyber security resource. Many times all or most of the data can be restored, even if compromised, as long as it hasn’t been erased.
If you have any questions or concerns about your website, please contact us at firstname.lastname@example.org